@valentinkolb/filegate 2.4.0 → 2.5.2

package/src/lib/index.ts

@@ -1,325 +0,0 @@
-import { SQL } from "bun";
-import type { FileInfo } from "../schemas";
-
-type StatInfo = {
-  dev: number;
-  ino: number;
-  size: number;
-  mtimeMs: number;
-  isDirectory: boolean;
-};
-
-export type IndexOutcome = {
-  id: string;
-  action: "existing" | "moved" | "added";
-};
-
-export type IndexStats = {
-  totalFiles: number;
-  totalDirs: number;
-  dbSizeBytes: number;
-  lastScanAt: number | null;
-};
-
-export type ScanState = {
-  mtimeMs: number;
-  scannedAt: number;
-};
-
-let sql: InstanceType<typeof SQL> | null = null;
-
-const getSql = (): InstanceType<typeof SQL> => {
-  if (!sql) throw new Error("index not initialized");
-  return sql;
-};
-
-const isSqliteUrl = (url: string): boolean => {
-  return url === ":memory:" || url.startsWith("sqlite:") || url.startsWith("file:");
-};
-
-const escapeLike = (value: string): string => value.replace(/[\\%_]/g, "\\$&");
-
-// --- Init ---
-export const initIndex = async (databaseUrl: string): Promise<void> => {
-  sql = new SQL(databaseUrl);
-
-  if (isSqliteUrl(databaseUrl)) {
-    await sql`PRAGMA journal_mode = WAL`.catch(() => {});
-    await sql`PRAGMA synchronous = NORMAL`.catch(() => {});
-  }
-
-  await sql`
-    CREATE TABLE IF NOT EXISTS file_index (
-      id TEXT PRIMARY KEY,
-      base_path TEXT NOT NULL,
-      rel_path TEXT NOT NULL,
-      dev INTEGER NOT NULL,
-      ino INTEGER NOT NULL,
-      size INTEGER NOT NULL,
-      mtime_ms INTEGER NOT NULL,
-      is_dir INTEGER NOT NULL DEFAULT 0,
-      indexed_at INTEGER NOT NULL,
-      UNIQUE(base_path, rel_path)
-    )
-  `;
-
-  await sql`CREATE INDEX IF NOT EXISTS idx_file_dev_ino ON file_index(dev, ino)`;
-  await sql`CREATE INDEX IF NOT EXISTS idx_file_base ON file_index(base_path)`;
-
-  await sql`
-    CREATE TABLE IF NOT EXISTS scan_state (
-      base_path TEXT NOT NULL,
-      dir_path TEXT NOT NULL,
-      mtime_ms INTEGER NOT NULL,
-      scanned_at INTEGER NOT NULL,
-      PRIMARY KEY(base_path, dir_path)
-    )
-  `;
-};
-
-export const closeIndex = async (): Promise<void> => {
-  await sql?.close();
-  sql = null;
-};
-
-// --- UUID v7 Generator ---
-export const generateId = (): string => {
-  const bytes = new Uint8Array(16);
-  const now = Date.now();
-
-  let time = now;
-  for (let i = 5; i >= 0; i--) {
-    bytes[i] = time & 0xff;
-    time = Math.floor(time / 256);
-  }
-
-  globalThis.crypto.getRandomValues(bytes.subarray(6));
-
-  bytes[6] = ((bytes[6] ?? 0) & 0x0f) | 0x70;
-  bytes[8] = ((bytes[8] ?? 0) & 0x3f) | 0x80;
-
-  const hex = Array.from(bytes)
-    .map((b) => b.toString(16).padStart(2, "0"))
-    .join("");
-
-  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
-};
-
-// --- Core CRUD ---
-export const indexFile = async (
-  basePath: string,
-  relPath: string,
-  s: StatInfo,
-  indexedAt: number = Date.now(),
-): Promise<IndexOutcome> => {
-  const db = getSql();
-
-  const [existingByPath] = await db`
-    SELECT id FROM file_index WHERE base_path = ${basePath} AND rel_path = ${relPath}
-  `;
-
-  if (existingByPath) {
-    await db`
-      UPDATE file_index
-      SET dev = ${s.dev}, ino = ${s.ino}, size = ${s.size}, mtime_ms = ${s.mtimeMs},
-          is_dir = ${s.isDirectory ? 1 : 0}, indexed_at = ${indexedAt}
-      WHERE id = ${existingByPath.id}
-    `;
-    return { id: existingByPath.id, action: "existing" };
-  }
-
-  const [existingByInode] = await db`
-    SELECT id FROM file_index WHERE dev = ${s.dev} AND ino = ${s.ino}
-  `;
-
-  if (existingByInode) {
-    await db`
-      UPDATE file_index
-      SET base_path = ${basePath}, rel_path = ${relPath}, size = ${s.size}, mtime_ms = ${s.mtimeMs},
-          is_dir = ${s.isDirectory ? 1 : 0}, indexed_at = ${indexedAt}
-      WHERE id = ${existingByInode.id}
-    `;
-    return { id: existingByInode.id, action: "moved" };
-  }
-
-  const id = generateId();
-  await db`
-    INSERT INTO file_index (id, base_path, rel_path, dev, ino, size, mtime_ms, is_dir, indexed_at)
-    VALUES (${id}, ${basePath}, ${relPath}, ${s.dev}, ${s.ino}, ${s.size}, ${s.mtimeMs},
-            ${s.isDirectory ? 1 : 0}, ${indexedAt})
-  `;
-
-  return { id, action: "added" };
-};
-
-export const resolveId = async (id: string): Promise<{ basePath: string; relPath: string } | null> => {
-  const db = getSql();
-  const [row] = await db`SELECT base_path, rel_path FROM file_index WHERE id = ${id}`;
-  return row ? { basePath: row.base_path, relPath: row.rel_path } : null;
-};
-
-export const identifyPath = async (basePath: string, relPath: string): Promise<string | null> => {
-  const db = getSql();
-  const [row] = await db`SELECT id FROM file_index WHERE base_path = ${basePath} AND rel_path = ${relPath}`;
-  return row?.id ?? null;
-};
-
-export const updateIndexPath = async (id: string, newBasePath: string, newRelPath: string): Promise<void> => {
-  const db = getSql();
-  await db`UPDATE file_index SET base_path = ${newBasePath}, rel_path = ${newRelPath} WHERE id = ${id}`;
-};
-
-export const removeFromIndex = async (basePath: string, relPath: string): Promise<void> => {
-  const db = getSql();
-  await db`DELETE FROM file_index WHERE base_path = ${basePath} AND rel_path = ${relPath}`;
-};
-
-export const removeFromIndexRecursive = async (basePath: string, relPath: string): Promise<void> => {
-  const db = getSql();
-
-  if (!relPath) {
-    await db`DELETE FROM file_index WHERE base_path = ${basePath}`;
-    return;
-  }
-
-  const prefix = `${escapeLike(relPath)}/`;
-  const likePattern = `${prefix}%`;
-
-  await db`
-    DELETE FROM file_index
-    WHERE base_path = ${basePath}
-      AND (rel_path = ${relPath} OR rel_path LIKE ${likePattern} ESCAPE '\\')
-  `;
-};
-
-// --- Scan State ---
-export const getScanState = async (basePath: string, dirPath: string): Promise<ScanState | null> => {
-  const db = getSql();
-  const [row] = await db`
-    SELECT mtime_ms, scanned_at FROM scan_state WHERE base_path = ${basePath} AND dir_path = ${dirPath}
-  `;
-  return row ? { mtimeMs: row.mtime_ms, scannedAt: row.scanned_at } : null;
-};
-
-export const setScanState = async (basePath: string, dirPath: string, mtimeMs: number, scannedAt: number): Promise<void> => {
-  const db = getSql();
-  const [row] = await db`
-    SELECT 1 as present FROM scan_state WHERE base_path = ${basePath} AND dir_path = ${dirPath}
-  `;
-  if (row) {
-    await db`
-      UPDATE scan_state SET mtime_ms = ${mtimeMs}, scanned_at = ${scannedAt}
-      WHERE base_path = ${basePath} AND dir_path = ${dirPath}
-    `;
-    return;
-  }
-
-  await db`
-    INSERT INTO scan_state (base_path, dir_path, mtime_ms, scanned_at)
-    VALUES (${basePath}, ${dirPath}, ${mtimeMs}, ${scannedAt})
-  `;
-};
-
-export const touchIndexedAtUnderDir = async (
-  basePath: string,
-  dirPath: string,
-  indexedAt: number,
-): Promise<void> => {
-  const db = getSql();
-
-  if (!dirPath) {
-    await db`UPDATE file_index SET indexed_at = ${indexedAt} WHERE base_path = ${basePath}`;
-    return;
-  }
-
-  const prefix = `${escapeLike(dirPath)}/`;
-  const likePattern = `${prefix}%`;
-
-  await db`
-    UPDATE file_index
-    SET indexed_at = ${indexedAt}
-    WHERE base_path = ${basePath}
-      AND (rel_path = ${dirPath} OR rel_path LIKE ${likePattern} ESCAPE '\\')
-  `;
-};
-
-export const removeStaleEntries = async (basePath: string, beforeMs: number): Promise<number> => {
-  const db = getSql();
-  const [countRow] = await db`
-    SELECT COUNT(*) as count FROM file_index WHERE base_path = ${basePath} AND indexed_at < ${beforeMs}
-  `;
-  const count = Number(countRow?.count ?? 0);
-  await db`DELETE FROM file_index WHERE base_path = ${basePath} AND indexed_at < ${beforeMs}`;
-  return count;
-};
-
-// --- Batch ---
-export const bulkResolve = async (
-  ids: string[],
-): Promise<Record<string, { basePath: string; relPath: string } | null>> => {
-  if (ids.length === 0) return {};
-
-  const db = getSql();
-  const rows = await db`SELECT id, base_path, rel_path FROM file_index WHERE id IN ${db(ids)}`;
-  const map = new Map<string, { basePath: string; relPath: string }>();
-
-  for (const row of rows) {
-    map.set(row.id, { basePath: row.base_path, relPath: row.rel_path });
-  }
-
-  const result: Record<string, { basePath: string; relPath: string } | null> = {};
-  for (const id of ids) {
-    result[id] = map.get(id) ?? null;
-  }
-
-  return result;
-};
-
-export const enrichFileInfo = async (info: FileInfo, basePath: string): Promise<FileInfo> => {
-  const fileId = await identifyPath(basePath, info.path);
-  return fileId ? { ...info, fileId } : info;
-};
-
-export const enrichFileInfoBatch = async (infos: FileInfo[], basePath: string): Promise<FileInfo[]> => {
-  if (infos.length === 0) return infos;
-  const db = getSql();
-  const paths = infos.map((i) => i.path);
-  const rows = await db`
-    SELECT rel_path, id FROM file_index WHERE base_path = ${basePath} AND rel_path IN ${db(paths)}
-  `;
-  const pathToId = new Map<string, string>();
-  for (const row of rows as { rel_path: string; id: string }[]) {
-    pathToId.set(row.rel_path, row.id);
-  }
-  return infos.map((info) => {
-    const fileId = pathToId.get(info.path);
-    return fileId ? { ...info, fileId } : info;
-  });
-};
-
-// --- Stats ---
-export const getIndexStats = async (): Promise<IndexStats> => {
-  const db = getSql();
-
-  const [fileRow] = await db`SELECT COUNT(*) as count FROM file_index WHERE is_dir = 0`;
-  const [dirRow] = await db`SELECT COUNT(*) as count FROM file_index WHERE is_dir = 1`;
-  const [scanRow] = await db`SELECT MAX(scanned_at) as last_scan_at FROM scan_state`;
-
-  let dbSizeBytes = 0;
-  try {
-    const [pageCountRow] = await db`PRAGMA page_count`;
-    const [pageSizeRow] = await db`PRAGMA page_size`;
-    const pageCount = Number(pageCountRow?.page_count ?? 0);
-    const pageSize = Number(pageSizeRow?.page_size ?? 0);
-    dbSizeBytes = pageCount * pageSize;
-  } catch {
-    dbSizeBytes = 0;
-  }
-
-  return {
-    totalFiles: Number(fileRow?.count ?? 0),
-    totalDirs: Number(dirRow?.count ?? 0),
-    dbSizeBytes,
-    lastScanAt: scanRow?.last_scan_at ?? null,
-  };
-};

package/src/lib/openapi.ts

@@ -1,48 +0,0 @@
-import { resolver, type GenerateSpecOptions } from "hono-openapi";
-import type { ZodType } from "zod";
-import { config } from "../config";
-
-/** JSON response helper for OpenAPI docs */
-export const jsonResponse = <T extends ZodType>(schema: T, description: string) => ({
-  description,
-  content: { "application/json": { schema: resolver(schema) } },
-});
-
-/** Binary/stream response helper */
-export const binaryResponse = (mimeType: string, description: string) => ({
-  description,
-  content: { [mimeType]: { schema: { type: "string" as const, format: "binary" } } },
-});
-
-/** OpenAPI spec metadata */
-export const openApiMeta: Partial<GenerateSpecOptions> = {
-  documentation: {
-    info: {
-      title: "File Proxy API",
-      version: "1.0.0",
-      description: "Secure file proxy with streaming uploads/downloads and resumable chunked uploads",
-    },
-    servers: [{ url: `http://localhost:${config.port}`, description: "File Proxy Server" }],
-    tags: [
-      { name: "Health", description: "Health check endpoint" },
-      { name: "Files", description: "File operations (info, download, upload, mkdir, move, copy, delete)" },
-      { name: "Search", description: "File search with glob patterns" },
-      { name: "Upload", description: "Resumable chunked uploads" },
-      { name: "Index", description: "File index management" },
-    ],
-    components: {
-      securitySchemes: {
-        bearerAuth: {
-          type: "http",
-          scheme: "bearer",
-          description: "Bearer token authentication",
-        },
-      },
-    },
-  },
-};
-
-/** Security requirement for authenticated routes */
-export const requiresAuth = {
-  security: [{ bearerAuth: [] as string[] }],
-};

package/src/lib/ownership.ts

@@ -1,133 +0,0 @@
-import { chown, chmod, readdir, stat } from "node:fs/promises";
-import { join } from "node:path";
-import { dirname } from "node:path";
-import { config } from "../config";
-
-export type Ownership = {
-  uid: number;
-  gid: number;
-  mode: number; // octal, e.g. 0o600
-  dirMode?: number; // octal, optional - if not set, derived from mode
-};
-
-// Derive directory mode from file mode (add x where r is set)
-// 644 → 755, 600 → 700, 664 → 775
-export const fileModeToDirectoryMode = (fileMode: number): number => {
-  let dirMode = fileMode;
-  if (fileMode & 0o400) dirMode |= 0o100; // owner read → owner exec
-  if (fileMode & 0o040) dirMode |= 0o010; // group read → group exec
-  if (fileMode & 0o004) dirMode |= 0o001; // other read → other exec
-  return dirMode;
-};
-
-// Get effective directory mode (explicit or derived from file mode)
-export const getEffectiveDirMode = (ownership: Ownership): number => {
-  return ownership.dirMode ?? fileModeToDirectoryMode(ownership.mode);
-};
-
-export const parseOwnershipHeaders = (req: Request): Ownership | null => {
-  const uid = req.headers.get("X-Owner-UID");
-  const gid = req.headers.get("X-Owner-GID");
-  const mode = req.headers.get("X-File-Mode");
-  const dirMode = req.headers.get("X-Dir-Mode");
-
-  if (!uid || !gid || !mode) return null;
-
-  const parsedMode = parseInt(mode, 8);
-  if (isNaN(parsedMode)) return null;
-
-  const parsedDirMode = dirMode ? parseInt(dirMode, 8) : undefined;
-  if (dirMode && isNaN(parsedDirMode!)) return null;
-
-  return {
-    uid: parseInt(uid, 10),
-    gid: parseInt(gid, 10),
-    mode: parsedMode,
-    dirMode: parsedDirMode,
-  };
-};
-
-export const parseOwnershipBody = (body: {
-  ownerUid?: number;
-  ownerGid?: number;
-  mode?: string;
-  dirMode?: string;
-}): Ownership | null => {
-  if (body.ownerUid == null || body.ownerGid == null || !body.mode) return null;
-
-  const mode = parseInt(body.mode, 8);
-  if (isNaN(mode)) return null;
-
-  const dirMode = body.dirMode ? parseInt(body.dirMode, 8) : undefined;
-  if (body.dirMode && isNaN(dirMode!)) return null;
-
-  return { uid: body.ownerUid, gid: body.ownerGid, mode, dirMode };
-};
-
-export const applyOwnership = async (path: string, ownership: Ownership | null): Promise<string | null> => {
-  if (!ownership) return null;
-
-  const uid = config.devUid ?? ownership.uid;
-  const gid = config.devGid ?? ownership.gid;
-
-  if (config.isDev) {
-    console.log(
-      `[DEV] chown ${path}: ${ownership.uid}->${uid}, ${ownership.gid}->${gid}, mode=${ownership.mode.toString(8)}`,
-    );
-  }
-
-  try {
-    await chown(path, uid, gid);
-    await chmod(path, ownership.mode);
-    return null;
-  } catch (e: any) {
-    if (e.code === "EPERM") return "permission denied (not root?)";
-    if (e.code === "EINVAL") return `invalid uid=${uid} or gid=${gid}`;
-    return `ownership failed: ${e.message}`;
-  }
-};
-
-// Apply ownership to directory chain from targetDir up to (not including) basePath
-export const applyOwnershipToNewDirs = async (
-  targetDir: string,
-  basePath: string,
-  ownership: Ownership,
-): Promise<void> => {
-  const dirMode = getEffectiveDirMode(ownership);
-  const dirOwnership: Ownership = { ...ownership, mode: dirMode };
-
-  let current = targetDir;
-  while (current !== basePath && current.startsWith(basePath + "/")) {
-    await applyOwnership(current, dirOwnership);
-    current = dirname(current);
-  }
-};
-
-// Apply ownership recursively to a file or directory (and all its contents)
-export const applyOwnershipRecursive = async (path: string, ownership: Ownership | null): Promise<string | null> => {
-  if (!ownership) return null;
-
-  const s = await stat(path);
-
-  if (s.isDirectory()) {
-    // Apply directory mode to the directory itself
-    const dirMode = getEffectiveDirMode(ownership);
-    const dirOwnership: Ownership = { ...ownership, mode: dirMode };
-    const err = await applyOwnership(path, dirOwnership);
-    if (err) return err;
-
-    // Recursively apply to contents
-    const entries = await readdir(path, { withFileTypes: true });
-    for (const entry of entries) {
-      const fullPath = join(path, entry.name);
-      const err = await applyOwnershipRecursive(fullPath, ownership);
-      if (err) return err;
-    }
-  } else {
-    // Apply file mode to files
-    const err = await applyOwnership(path, ownership);
-    if (err) return err;
-  }
-
-  return null;
-};

package/src/lib/path.ts

@@ -1,128 +0,0 @@
-import { realpath, mkdir } from "node:fs/promises";
-import { join, normalize, dirname, basename } from "node:path";
-import { config } from "../config";
-import { applyOwnershipToNewDirs, type Ownership } from "./ownership";
-
-export type PathResult =
-  | { ok: true; realPath: string; basePath: string }
-  | { ok: false; error: string; status: 400 | 403 | 404 };
-
-// Cache for resolved base paths (they don't change at runtime)
-const realBaseCache = new Map<string, string>();
-
-const getRealBase = async (basePath: string): Promise<string | null> => {
-  const cached = realBaseCache.get(basePath);
-  if (cached) return cached;
-
-  try {
-    const realBase = await realpath(basePath);
-    realBaseCache.set(basePath, realBase);
-    return realBase;
-  } catch {
-    return null;
-  }
-};
-
-export type ValidatePathOptions = {
-  /** If true, allows operating on the base path itself */
-  allowBasePath?: boolean;
-  /** If true, creates parent directories if they don't exist */
-  createParents?: boolean;
-  /** Ownership to apply to newly created directories */
-  ownership?: Ownership | null;
-};
-
-/**
- * Validates path is within allowed base paths, resolves symlinks.
- * Optionally creates parent directories with ownership.
- */
-export const validatePath = async (path: string, options: ValidatePathOptions = {}): Promise<PathResult> => {
-  const { allowBasePath = false, createParents = false, ownership = null } = options;
-  const cleaned = normalize(path);
-
-  // Find matching base
-  let basePath: string | null = null;
-  for (const base of config.allowedPaths) {
-    const cleanBase = normalize(base);
-    if (cleaned === cleanBase) {
-      if (!allowBasePath) {
-        return { ok: false, error: "cannot operate on base path", status: 403 };
-      }
-      basePath = cleanBase;
-      break;
-    }
-    if (cleaned.startsWith(cleanBase + "/")) {
-      basePath = cleanBase;
-      break;
-    }
-  }
-
-  if (!basePath) {
-    return { ok: false, error: "path not allowed", status: 403 };
-  }
-
-  // Create parent directories if requested (AFTER base validation)
-  if (createParents) {
-    const parentPath = dirname(cleaned);
-    await mkdir(parentPath, { recursive: true });
-
-    // Apply ownership to newly created directories
-    if (ownership) {
-      const realBase = await getRealBase(basePath);
-      if (realBase) {
-        await applyOwnershipToNewDirs(parentPath, realBase, ownership);
-      }
-    }
-  }
-
-  // Resolve symlinks
-  let realPath: string;
-  try {
-    realPath = await realpath(cleaned);
-  } catch (e: any) {
-    if (e.code === "ENOENT") {
-      // Path doesn't exist yet - validate parent
-      try {
-        const parentReal = await realpath(dirname(cleaned));
-        realPath = join(parentReal, basename(cleaned));
-      } catch {
-        return { ok: false, error: "parent path not found", status: 404 };
-      }
-    } else {
-      return { ok: false, error: "path resolution failed", status: 400 };
-    }
-  }
-
-  // Verify still within base after symlink resolution (cached)
-  const realBase = await getRealBase(basePath);
-  if (!realBase) {
-    return { ok: false, error: "base path invalid", status: 500 as any };
-  }
-
-  if (realPath !== realBase && !realPath.startsWith(realBase + "/")) {
-    return { ok: false, error: "symlink escape not allowed", status: 403 };
-  }
-
-  return { ok: true, realPath, basePath: realBase };
-};
-
-export type SameBaseResult =
-  | { ok: true; realPath: string; basePath: string; realTo: string }
-  | { ok: false; error: string; status: 400 | 403 | 404 };
-
-/**
- * Validates both paths are in the same base (for move/copy).
- */
-export const validateSameBase = async (from: string, to: string): Promise<SameBaseResult> => {
-  const fromResult = await validatePath(from);
-  if (!fromResult.ok) return fromResult;
-
-  const toResult = await validatePath(to);
-  if (!toResult.ok) return toResult;
-
-  if (fromResult.basePath !== toResult.basePath) {
-    return { ok: false, error: "cross-basepath not allowed", status: 400 };
-  }
-
-  return { ...fromResult, realTo: toResult.realPath };
-};

package/src/lib/response.ts

@@ -1,10 +0,0 @@
-export const json = <T>(data: T, status = 200) =>
-  Response.json(data, { status });
-
-export const error = (msg: string, status = 400) =>
-  Response.json({ error: msg }, { status });
-
-export const notFound = (msg = "not found") => error(msg, 404);
-export const forbidden = (msg = "forbidden") => error(msg, 403);
-export const badRequest = (msg: string) => error(msg, 400);
-export const serverError = (msg = "internal error") => error(msg, 500);